The hassle of LE Cert updates


#1

Hey everyone,

I’ve been fighting LE cert upgrade problems since the early days. I think this is probably related to my VPS sitting behind a NAT (can’t change anything about that, it’s how the provider handles networking).

However nearly all LE updates seem to fail when run in cron. If I run

ee site update --le=renew --all

manually it works, but the script stops after every renewal, outputting a

{'my@email.com': (451, b'4.3.0 <my@email.com>: Temporary lookup failure')}

But: the update of the cert worked. If I rerun the renewal it skips this site as the update worked.

After all, I think the problem isn’t with the renewal but with the way the EE scripts work to verify.

Does anyone have a hint how I could work around this problem or fix it?

Thanks, Frank


#2

Hmm, really no one? I just received the next emails from LE telling me that certs are expiring even though the crons are set.

I can’t see anything in /var/log/ee/ee.log or /var/log/letsencrypt/letsencrypt.log

The latter was last updated in November :confused:


#3

Can you post your cronjob example that fails the auto renewal?


#4

Cronjob example? It’s the default cronjob generated by EE:

0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine


#5

OK, now just add sudo in front of this command and it should be fine.


#6

Really, sudo? This is in the root crontab and should be run as root. Why sudo?


#7

All EE commands should run under sudo.


#8

Why do you say that? When did this change?

Since the beginning I’m aware that all EE commands must be run as root not with sudo. What am I missing?


#9

No, nothing changed. What I meant is that it should be run either as root or, if a different user is used, with the sudo command. Either will do.


#10

So then we’re back again without any changes. As the command is already run from the root cron, the user rights shouldn’t be an issue.

Any other idea where I might start bugfixing? No one else with this problem?


#11

At least sometimes it looks like the only real problem is that nginx doesn’t get reloaded after renewing the cert, and therefore it doesn’t use the renewed cert.
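Two things in this thread make the failure hard to see: the default cron line in #4 throws stderr away with `2> /dev/null`, so the SMTP error from #1 and anything else the renewal prints never reach a log, and #11 observes that the cert files can be renewed while nginx keeps serving the old one. Below is a cron wrapper that addresses both. It is an added example written for this thread, not EasyEngine's own code: it keeps the renewal output, takes a hash snapshot of the live cert files before and after `ee site update --le=renew --all`, and reloads nginx only if a file actually changed and the config still validates. The paths `/etc/letsencrypt/live` and `/var/log/ee/le-renew-wrapper.log` and the use of `nginx -s reload` are assumptions, not values from the thread.

```shell
#!/bin/sh
# Cron wrapper for EasyEngine Let's Encrypt renewals (added example, not part
# of EasyEngine). Keeps the renewal output, and reloads nginx only when a cert
# file really changed, so a renewed cert does not stay unused on disk.
#
# Assumptions (not from the thread): certs live under /etc/letsencrypt/live,
# the log path below, and that "nginx -s reload" is how nginx is reloaded here.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG_FILE="${LOG_FILE:-/var/log/ee/le-renew-wrapper.log}"

log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG_FILE"
}

# Print "name<TAB>sha256" for every fullchain.pem under $1, sorted, so two
# snapshots taken before and after the renewal can be compared line by line.
snapshot_certs() {
    dir="$1"
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        sum=$(sha256sum "$pem" | cut -d' ' -f1)
        printf '%s\t%s\n' "$name" "$sum"
    done | sort
}

# Given two snapshot strings, print the names whose hash changed or that are new.
changed_certs() {
    before="$1"
    after="$2"
    printf '%s\n' "$after" | while IFS="$(printf '\t')" read -r name sum; do
        [ -n "$name" ] || continue
        line=$(printf '%s\t%s' "$name" "$sum")
        # -F: literal match, so dots in host names are not regex wildcards.
        if ! printf '%s\n' "$before" | grep -qxF "$line"; then
            printf '%s\n' "$name"
        fi
    done
}

run_renewal() {
    before=$(snapshot_certs "$LIVE_DIR")
    # Keep stdout and stderr: the thread's SMTP 451 error only shows up there,
    # and the default cron line discards it.
    if ! ee site update --le=renew --all >> "$LOG_FILE" 2>&1; then
        log "ee renewal exited non-zero (see above); still checking for changed certs"
    fi
    after=$(snapshot_certs "$LIVE_DIR")
    changed=$(changed_certs "$before" "$after")
    if [ -n "$changed" ]; then
        log "renewed: $(printf '%s' "$changed" | tr '\n' ' ')"
        # Validate the config first so a reload cannot take nginx down.
        if nginx -t >> "$LOG_FILE" 2>&1; then
            nginx -s reload && log "nginx reloaded"
        else
            log "nginx -t failed; not reloading"
        fi
    else
        log "no certificate files changed"
    fi
}

# Only run the renewal when invoked as "renew-le.sh run", so the helper
# functions above can be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    run_renewal
fi
```

Installed as `/usr/local/bin/renew-le.sh`, the root crontab line from #4 becomes `0 0 * * 0 /usr/local/bin/renew-le.sh run`, with the log file replacing `2> /dev/null`. Because the wrapper checks the files rather than trusting the `ee` exit status, the case from #1 (renewal succeeded, command aborted on the mail step) still ends in a reload.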


#12

Not sure, my issue was the sudo missing in the crontab command; as soon as I added it, no more problems since.


#13